Adding MFA to RDP Sessions for Privileged Accounts

I recently returned from a large banking company in the Midwest. I was in awe to hear that the number one frustration for their IT personnel was simply establishing an RDP (Remote Desktop Protocol) session. The reason was this: a typical user had around a dozen or so administrator accounts, each with its own unique, complex password of at least 24 characters. What a headache! Not only was their team required to memorize a dozen usernames, but they also had to know each account’s password. It was no wonder that establishing an RDP session was such a sore subject for their entire team.

If you are an IT administrator, you might be reading this and thinking to yourself, “I face this issue almost every day!” Truth be told, nearly every organization I have spoken to is wrestling with this problem today. After all, these are the accounts which hold the keys to the kingdom and must be protected at all costs. It is absolutely, under no circumstances, acceptable for any company to rely on passwords alone for these privileged accounts.

Thus, whenever I demonstrate to corporations that there is a solution that not only eliminates the need to memorize several administrator passwords, but also significantly increases the security of the servers that need the most protection, it is no surprise that they tend to jump at the opportunity.

An easy solution for privileged accounts

The solution itself is quite simple. The DigitalPersona® platform has the ability to train an application to require multifactor authentication when beginning an RDP session. Since examples always help, let’s use my Midwest customer as an example. The workflow for them worked like this: the administrator, who for naming’s sake I’ll call Bob, opens an RDP client and starts the usual process of connecting to a backend server. Bob types the server name into the computer field and is prompted for the authentication factors specified in the DigitalPersona platform. In his case, he had to provide a username, a password and a fingerprint biometric. After Bob successfully authenticated, he was presented with a list of those dozen or so privileged accounts. After selecting the account he wanted to log into his session with, the terminal server itself prompts Bob once more for a One-Time Password (OTP) for added security. After he enters the 6-digit code provided by a secure app on his mobile phone, he is logged into the terminal server.

“But Ryan, I’m still not able to conceptualize the workflow!”

If you are a visual person, I put together a video highlighting the process. The video shows that you don’t have to struggle with managing these UN/PW combinations for RDP sessions and adding multifactor authentication can actually make the lives of your users a bit easier while at the same time providing greater protection for your organization.

Ryan Friess is a Solutions Engineer for Crossmatch DigitalPersona Composite Authentication. In this role, he is responsible for implementing and demonstrating Crossmatch’s DigitalPersona® composite authentication solution. Ryan earned a Computer Engineering and Computer Science degree from Florida Atlantic University. He holds over six Citrix certifications in both networking and virtualization, as well as multiple Microsoft Server 2008 and 2012 certifications. Aside from being a technical engineer, Ryan enjoys spending his time eating at his favorite sushi spots or taking a walk on the boardwalk in the sunny Florida weather.
